Changelog: New Firewall and Client API Updates

L3 Firewall Rules Programmable via API

The MX layer 3 firewall rules can be found under Security Appliance > Firewall > Layer 3 > Outbound rules in Dashboard. The L3 firewall ruleset allows outbound firewall filtering for all traffic crossing a routed boundary. This includes both inside-to-outside (LAN port > WAN port) packets as well as inter-VLAN routed traffic within the MX.

While the firewall UI makes adding or modifying rules simple, it’s not well suited for bulk import of hundreds or thousands of entries. Enter L3 FW API!

  • Issue a get /networks/[networkId]/l3FirewallRules request to return the active L3 firewall rules for an MX network.
  • Issue a put /networks/[networkId]/l3FirewallRules command to create or modify the L3 firewall rules of an MX network.

The list of parameters available is ever-changing, but below is a quick snapshot of what’s supported today.

[Image: Meraki L3 firewall API parameters]

Interesting Observations

First, FQDN-based destination rules are supported and can be added via the API interface. This is very cool. FQDN-based source/destinations are also supported in the UI beginning with wired-13 firmware.

Second, VLAN-based addresses can be used for template deployments. For example, VLAN(10).1 would dynamically match the .1 address in VLAN 10’s IP space for all networks. Similarly, VLAN(11).* would match all IP addresses in VLAN 11 for all networks bound to the template.

Even though most customers don’t have the need for this level of firewall programmability, the feature is now enabled by default for all Dashboard organizations with API privileges.
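As an added example (not Meraki's code), the script below turns a bulk-import CSV into the body for the put /networks/[networkId]/l3FirewallRules call and rejects malformed rows before anything is sent, including the VLAN(n) template form and FQDN destinations described above. The rule field names, the v0 base URL and the API key header are assumptions taken from the public Dashboard API documentation; the CSV layout and function names are hypothetical.

```python
import csv, io, ipaddress, json, re
import urllib.request

# Constructed sample input: one rule per row, as a bulk-import sheet might look.
SAMPLE_CSV = """comment,policy,protocol,srcCidr,srcPort,destCidr,destPort
Block telnet,deny,tcp,Any,Any,Any,23
Printers to update host,allow,tcp,VLAN(10).*,Any,updates.example.com,443
Guest VLAN to server VLAN,deny,any,VLAN(11).*,Any,192.168.20.0/24,Any
"""

VLAN_RE = re.compile(r"^VLAN\(\d+\)\.(\*|\d{1,3})$")  # template form, e.g. VLAN(10).1
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

def valid_addr(value, allow_fqdn):
    """Accept Any, an IP or CIDR, VLAN(n).x, and (when allowed) an FQDN."""
    if value == "Any" or VLAN_RE.match(value):
        return True
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return allow_fqdn and bool(FQDN_RE.match(value))

def build_payload(csv_text):
    """Convert CSV rows to the PUT body; raise on the first malformed row."""
    rules = []
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        if row["policy"] not in ("allow", "deny"):
            raise ValueError(f"line {n}: bad policy {row['policy']!r}")
        if row["protocol"] not in ("tcp", "udp", "icmp", "any"):
            raise ValueError(f"line {n}: bad protocol {row['protocol']!r}")
        # The post only mentions FQDN *destinations* for the API, so sources stay IP/VLAN.
        if not valid_addr(row["srcCidr"], allow_fqdn=False):
            raise ValueError(f"line {n}: bad source {row['srcCidr']!r}")
        if not valid_addr(row["destCidr"], allow_fqdn=True):
            raise ValueError(f"line {n}: bad destination {row['destCidr']!r}")
        rules.append(dict(row))
    return {"rules": rules}

def put_request(network_id, api_key, payload):
    """Build (but do not send) the PUT; URL prefix and header name are assumptions."""
    url = f"https://api.meraki.com/api/v0/networks/{network_id}/l3FirewallRules"
    return urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="PUT",
        headers={"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"})
```

Pass the returned request to urllib.request.urlopen() to apply it; saving the output of the matching get call first gives a copy of the previous ruleset to restore from.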

New Group Policy API Calls

The introduction of group policy API calls enables administrators to list group policy elements and programmatically apply a policy to a specific device in a network based on the device’s MAC address.

  • Issue a get /networks/[id]/groupPolicies to list the group policies in a network.
  • Issue a get /networks/[networkId]/clients/[client_mac]/policy to return the group policy that is assigned to a device in the network.
  • Issue a put /networks/[id]/clients/[mac]/policy to update the group policy assigned to a device in the network.

This unlocks many, many interesting use cases for automating dynamic policy assignment to clients. If you are running MR or MX and haven’t played with group policies, here’s the KB to learn more.

Client Splash API Authorization

Meraki Engineering also added a much-requested set of API calls to view and update the splash authorization status of a client.

  • Issue a get /networks/[id]/clients/[mac]/splashAuthorizationStatus to return the splash authorization for a client, for each SSID they’ve associated with through splash.
  • Issue a put /networks/[id]/clients/[mac]/splashAuthorizationStatus to update a client device’s splash authorization.

Being able to approve or withdraw client click-through splash authorization via a third party app call or backend script is useful for many enterprise organizations.

[Image: Meraki client splash authorization API parameters]

Summary

Companies moving towards network API automation will certainly appreciate the recent additions this week. As always, check out the official API documentation page for the latest enhancements.

If you don’t have the Dashboard API enabled today and want to get your feet wet, here’s an overview with many important details. Also feel free to check out the cool apps Meraki’s API partners are building via the developers portal.


The Changelog series is an opportunity to highlight the constant, behind-the-scenes updates to the Meraki cloud Dashboard that many operators aren’t aware of. Part of what makes the Cisco Meraki platform so compelling is the pace at which the Engineering and UI teams continue to iterate and improve the management experience. Featuring updates gives the community better insight into the elements being delivered. And, new is fun.